Tokens

At the core of every Storefront API or Admin API call is an Access Token. An Access Token represents a permission granted to a Client to access protected resources, either on behalf of an End-User or on its own behalf.

Access Token

Access Tokens are credentials used to access protected resources. An Access Token is a string representing an authorization issued to the Client, representing specific scopes and durations of access, granted by the Resource Owner, and enforced by the Resource Server and Authorization Server.

Access Tokens are issued to the Client by the Authorization Server and are intended for use only with the Resource Server.

Client Token

If a Client is authorized to access resources that don't require the permission of an End-User, then the Client Credentials grant flow should be used to request an Access Token.

When an Access Token is requested using the Client Credentials grant type, only an Access Token is returned, for example:

{
  "access_token":"lFD4QXrKOp3taYhuw73oj7sJBHvtexW7ucWUH-8ifwc",
  "token_type":"Bearer",
  "expires_in":7200,
  "scope":"storefront client",
  "created_at":1645785334
}

End-User Token

If an End-User permission is required to access resources, then the Authorization Code grant flow should be used to request an Access Token.

When an Access Token is requested using the Authorization Code grant type, an Access Token, a Refresh Token and an ID Token are returned, for example:

{
  "access_token": "ve4FQbWjp9naWaGvJM0bGStwQeuV-FFA9BI-H0L9g0",
  "token_type":"Bearer",
  "expires_in":7200,
  "refresh_token": "iIIBHaM0GCBP2rVGIq5YhsgLGlsM3JSgefjSBqRhMOY",
  "scope":"admin openid profile email",
  "created_at":1645785334,
  "id_token": "eyJ0eXXXAifQ.eyJpc3XXXk1yYWJldCJ9.sLBZpXXX8NHYXk"
}

Refresh Token

Refresh Tokens are credentials used to obtain Access Tokens when the Resource Owner is an End-User, i.e. in the context of the Authorization Code flow. A Refresh Token is a string representing the authorization granted to the Client by the Resource Owner.

Refresh Tokens are issued to the Client by the Authorization Server and are used to obtain a new Access Token when the current Access Token becomes invalid or expires. When issuing an Access Token via the Authorization Code flow, the Authorization Server includes a Refresh Token.

Unlike Access Tokens, Refresh Tokens are intended for use only with the Authorization Server and are never sent to the Resource Server.

ID Token

The ID Token is the primary extension that OpenID Connect makes to OAuth 2.0 to enable End-Users to be authenticated. The ID Token is a JSON Web Token (JWT) that contains claims about the identity of the authenticated user, such as name and email.

Unlike the Access Token and Refresh Token, which are usually opaque to the Client, the ID Token can be decoded to extract user information from it and personalise the user's experience in your application. ID Tokens are therefore intended for use by the Client only, and are never forwarded to the Resource Server or the Authorization Server.

Token Audience

The intended use of each token is as follows:

Token           Audience
Access Token    Resource Server
Refresh Token   Authorization Server
ID Token        Client Application
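The following is an added example, not code from this API's documentation or its libraries: it takes a token response in the shape shown above for the Authorization Code flow, verifies and decodes the ID Token on the Client side (as the ID Token section describes), and routes each token only to the audience listed in the table. The token response, the HS256 signing secret and the user claims are all constructed here so the example runs offline; a real Authorization Server signs ID Tokens with its own key, and the Client must validate against that key.

```python
import base64, hashlib, hmac, json

DEMO_SECRET = b"constructed-client-secret"  # constructed; stands in for the AS signing key

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))  # restore padding

def make_id_token(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT; constructed stand-in for what the Authorization Server issues."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def decode_id_token(token: str, secret: bytes, now: int) -> dict:
    """Verify signature and expiry before trusting any claim in the ID Token."""
    head_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never accept 'none'
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("ID Token signature invalid")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("ID Token expired")
    return claims

def route_tokens(resp: dict, now: int) -> dict:
    """Hand each token only to its audience from the Token Audience table."""
    access_expires = resp["created_at"] + resp["expires_in"]
    return {
        # Access Token -> Resource Server, as a Bearer header, only while still valid
        "resource_server": {"Authorization": f"Bearer {resp['access_token']}"}
            if now < access_expires else None,
        # Refresh Token -> Authorization Server only, to obtain a new Access Token
        "authorization_server": {"grant_type": "refresh_token",
                                 "refresh_token": resp["refresh_token"]},
        # ID Token -> decoded by the Client itself, never forwarded anywhere
        "client": decode_id_token(resp["id_token"], DEMO_SECRET, now),
    }

# Constructed token response in the shape the page shows for the Authorization Code flow.
NOW = 1645785400
SAMPLE_RESPONSE = {
    "access_token": "constructed-access-token", "token_type": "Bearer",
    "expires_in": 7200, "refresh_token": "constructed-refresh-token",
    "scope": "admin openid profile email", "created_at": 1645785334,
    "id_token": make_id_token({"sub": "42", "name": "Jane Doe",
                               "email": "jane@example.com", "exp": NOW + 86400}, DEMO_SECRET),
}
```

Once `created_at + expires_in` has passed, `route_tokens` stops offering the Access Token to the Resource Server, and the Refresh Token entry is what the Client sends to the Authorization Server to obtain a new one.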